Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The TransferOutAndCallV5 event is not caught by smartcontract_log_parser.go #121

Open
c4-bot-9 opened this issue Jun 11, 2024 · 0 comments
Open

The TransferOutAndCallV5 event is not caught by smartcontract_log_parser.go #121

c4-bot-9 opened this issue Jun 11, 2024 · 0 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working 🤖_19_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality

Comments

@c4-bot-9
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-06-thorchain/blob/main/bifrost/pkg/chainclients/shared/evm/smartcontract_log_parser.go#L22-L26
https://github.com/code-423n4/2024-06-thorchain/blob/main/bifrost/pkg/chainclients/shared/evm/smartcontract_log_parser.go#L295-L337

Vulnerability details

Impact

The contract and more precisely the events of the version 5 of the protocol are not integrated as expected.

Actions that should be undertaken by the Bifrost are ignored, leading to inconsistencies in the entire protocol such as accounting errors and potential loss of funds.

Proof of concept

In the previous version of the protocol, the smartcontract_log_parser.go was responsible for listening to multiple events emitted by THORChain_Router.sol :

https://github.com/code-423n4/2024-06-thorchain/blob/main/bifrost/pkg/chainclients/shared/evm/smartcontract_log_parser.go#L22-L26

const (
	NativeTokenAddr         = "0x0000000000000000000000000000000000000000"
	depositEvent            = "0xef519b7eb82aaf6ac376a6df2d793843ebfd593de5f1a0601d3cc6ab49ebb395" // cast keccak "Deposit(address,address,uint256,string)"
	transferOutEvent        = "0xa9cd03aa3c1b4515114539cd53d22085129d495cb9e9f9af77864526240f1bf7" // cast keccak "TransferOut(address,address,address,uint256,string)"
	transferAllowanceEvent  = "0x05b90458f953d3fcb2d7fb25616a2fddeca749d0c47cc5c9832d0266b5346eea" // cast keccak "TransferAllowance(address,address,address,uint256,string)"
	vaultTransferEvent      = "0x281daef48d91e5cd3d32db0784f6af69cd8d8d2e8c612a3568dca51ded51e08f" // cast keccak "VaultTransfer(address,address,(address,uint256)[],string)"
	transferOutAndCallEvent = "0x8e5841bcd195b858d53b38bcf91b38d47f3bc800469b6812d35451ab619c6f6c" // cast keccak "TransferOutAndCall(address,address,uint256,address,address,uint256,string)"
)

Once one of these events has been intercepted, it is parsed and actions are undertaken by Bifrost depending on the nature of the emission.

One of these actions is transferOutAndCallEvent, described here and is triggered in the transferOutAndCall() function of the smart contract.

The version 5 of the protocol introduced a similar event in a new function of the smart contract called _transferOutAndCallV5() which emits TransferOutAndCallV5.

As you can see, this particular event does not figure in the list of events in smartcontract_log_parser.go and is thus never intercepted nor processed while it should be.

Tools used

Manual review

Recommended mitigation steps

Define the corresponding event in smartcontract_log_parser.go and implement the actions to undertake when it is intercepted.

Assessed type

Context
@c4-bot-9 c4-bot-9 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Jun 11, 2024
c4-bot-6 added a commit that referenced this issue Jun 11, 2024
@c4-bot-6
Greed issue #121
0fd6feb
@c4-bot-12 c4-bot-12 added the 🤖_19_group AI based duplicate group recommendation label Jun 12, 2024
howlbot-integration bot added a commit that referenced this issue Jun 14, 2024
@howlbot-integration
Greed update issue #121
74f12bd
@howlbot-integration howlbot-integration bot added the sufficient quality report This report is of sufficient quality label Jun 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working 🤖_19_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@c4-bot-9 @c4-bot-12